summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorkcwu <kcwu@chromium.org>2016-09-27 14:06:50 -0700
committerCommit bot <commit-bot@chromium.org>2016-09-27 14:06:50 -0700
commitec7a9455c15b2cebb75a6036c8636beb601e543a (patch)
tree618beba7e39e567e645bbaa0b36ec008c50b5b41
parent5060b2e37b82a2e2907e11685ed2998d06d8b452 (diff)
downloadpdfium-ec7a9455c15b2cebb75a6036c8636beb601e543a.tar.xz
Add fuzzer for jbig2 parsing
Review-Url: https://codereview.chromium.org/2370943004
-rw-r--r--testing/libfuzzer/BUILD.gn15
-rw-r--r--testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc48
2 files changed, 63 insertions, 0 deletions
diff --git a/testing/libfuzzer/BUILD.gn b/testing/libfuzzer/BUILD.gn
index 7049add6c5..e89918b05f 100644
--- a/testing/libfuzzer/BUILD.gn
+++ b/testing/libfuzzer/BUILD.gn
@@ -199,6 +199,21 @@ source_set("pdf_codec_icc_fuzzer") {
]
}
+source_set("pdf_codec_jbig2_fuzzer") {
+ testonly = true
+ sources = [
+ "pdf_codec_jbig2_fuzzer.cc",
+ ]
+ deps = [
+ "//third_party/pdfium:pdfium",
+ ]
+ configs -= [ "//build/config/compiler:chromium_code" ]
+ configs += [
+ "//build/config/compiler:no_chromium_code",
+ ":libfuzzer_config",
+ ]
+}
+
source_set("pdf_jpx_fuzzer") {
testonly = true
sources = [
diff --git a/testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc b/testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc
new file mode 100644
index 0000000000..4416c9e82c
--- /dev/null
+++ b/testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc
@@ -0,0 +1,48 @@
+// Copyright 2016 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <cstdint>
+
+#include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h"
+#include "core/fpdfapi/fpdf_parser/include/cpdf_stream_acc.h"
+#include "core/fxcodec/codec/ccodec_jbig2module.h"
+#include "core/fxcodec/include/JBig2_DocumentContext.h"
+#include "core/fxcodec/jbig2/JBig2_Context.h"
+#include "core/fxge/include/fx_dib.h"
+
+static uint32_t GetInteger(const uint8_t* data) {
+ return data[0] | data[1] << 8 | data[2] << 16 | data[3] << 24;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ const size_t kParameterSize = 8;
+ if (size < kParameterSize)
+ return 0;
+
+ uint32_t width = GetInteger(data);
+ uint32_t height = GetInteger(data + 4);
+ size -= kParameterSize;
+ data += kParameterSize;
+
+ std::unique_ptr<CFX_DIBitmap> bitmap(new CFX_DIBitmap);
+ if (!bitmap->Create(width, height, FXDIB_1bppRgb))
+ return 0;
+
+ std::unique_ptr<CPDF_Object, ReleaseDeleter<CPDF_Object>> stream(
+ new CPDF_Stream);
+ stream->AsStream()->SetData(data, size);
+ CPDF_StreamAcc src_stream;
+ src_stream.LoadAllData(stream->AsStream(), TRUE);
+
+ CCodec_Jbig2Module module;
+ CCodec_Jbig2Context jbig2_context;
+ std::unique_ptr<JBig2_DocumentContext> document_context;
+ FXCODEC_STATUS status = module.StartDecode(
+ &jbig2_context, &document_context, width, height, &src_stream, nullptr,
+ bitmap->GetBuffer(), bitmap->GetPitch(), nullptr);
+
+ while (status == FXCODEC_STATUS_DECODE_TOBECONTINUE)
+ status = module.ContinueDecode(&jbig2_context, nullptr);
+ return 0;
+}